asp.net – Web API authorization using ClientId and ClientSecret
I'm using the OWIN/Katana middleware for authorization in my web API.

The flow: I issue an access_token and a refresh_token to the requesting client. The access_token has a short lifetime, while the refresh_token has a long expiry. As usual, when the access_token expires, the client uses the refresh_token to request another access_token.

Now, my question. Since my refresh_token has a long lifetime, it seems to defeat the purpose of the short-lived access_token. Let's say the refresh_token gets leaked; a hacker can still get an access_token, right?

I looked at Google's and Microsoft's OAuth implementations, and it seems that apart from the refresh_token they also require an extra parameter: the client_id and client_secret. It looks like these are generated when you sign in to the API's developer page.

Now, how do I implement this in my project? I'd like to override the token creation and create the token hash on the ClientId and ClientSecret.

I'm using the basic OWIN/Katana authentication of the latest Web API, and I don't plan to use another authorization server such as Thinktecture. I only want to use the basic functionality that ASP.NET Web API 2 provides by default.

Startup.OAuth.cs

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;

public partial class Startup
{
    // Declared by the Web API project template; the post omitted these members.
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
    public static Func<UserManager<IdentityUser>> UserManagerFactory { get; set; }
    public static string PublicClientId { get; private set; }

    static Startup()
    {
        PublicClientId = "self";
        UserManagerFactory = () => new UserManager<IdentityUser>(new AppUserStore());
        var tokenExpiry = Convert.ToInt32(System.Configuration.ConfigurationManager.AppSettings["ApiTokenExpiry"]);

        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(tokenExpiry),
            AllowInsecureHttp = true,
            RefreshTokenProvider = new AuthenticationTokenProvider
            {
                OnCreate = CreateRefreshToken,
                OnReceive = ReceiveRefreshToken,
            }
        };
    }

    private static void CreateRefreshToken(AuthenticationTokenCreateContext context)
    {
        var tokenExpiry = Convert.ToInt32(System.Configuration.ConfigurationManager.AppSettings["ApiTokenExpiry"]);
        var refreshTokenExpiry = Convert.ToInt32(System.Configuration.ConfigurationManager.AppSettings["ApiRefreshTokenExpiry"]);

        // Copy the access token's properties, then give the refresh token its own, longer expiry.
        var refreshTokenProperties = new AuthenticationProperties(context.Ticket.Properties.Dictionary)
        {
            IssuedUtc = context.Ticket.Properties.IssuedUtc,
            ExpiresUtc = DateTime.UtcNow.AddMinutes(tokenExpiry + refreshTokenExpiry) // add 3 minutes to the access token expiry
        };
        var refreshTokenTicket = new AuthenticationTicket(context.Ticket.Identity, refreshTokenProperties);

        // As posted, the protected refreshTokenTicket was discarded and context.SerializeTicket() re-serialized
        // the original ticket, so the refresh token kept the access token's expiry. Issue the long-lived ticket.
        context.SetToken(OAuthOptions.RefreshTokenFormat.Protect(refreshTokenTicket));
    }

    private static void ReceiveRefreshToken(AuthenticationTokenReceiveContext context)
    {
        context.DeserializeTicket(context.Token);
    }
}
```

ApplicationOAuthProvider.cs

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    private readonly string _publicClientId;
    private readonly Func<UserManager<IdentityUser>> _userManagerFactory;

    public ApplicationOAuthProvider(string publicClientId, Func<UserManager<IdentityUser>> userManagerFactory)
    {
        if (publicClientId == null)
        {
            throw new ArgumentNullException("publicClientId");
        }
        if (userManagerFactory == null)
        {
            throw new ArgumentNullException("userManagerFactory");
        }
        _publicClientId = publicClientId;
        _userManagerFactory = userManagerFactory;
    }

    // Handles grant_type=password: checks the user's credentials and issues the OAuth ticket.
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        using (UserManager<IdentityUser> userManager = _userManagerFactory())
        {
            IdentityUser user = await userManager.FindAsync(context.UserName, context.Password);
            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }
            ClaimsIdentity oAuthIdentity = await userManager.CreateIdentityAsync(user, context.Options.AuthenticationType);
            ClaimsIdentity cookiesIdentity = await userManager.CreateIdentityAsync(user, CookieAuthenticationDefaults.AuthenticationType);
            AuthenticationProperties properties = CreateProperties(user.UserName);
            AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
            context.Validated(ticket);
            context.Request.Context.Authentication.SignIn(cookiesIdentity);
        }
    }

    // Helper from the project template, omitted from the post; it adds the user name to the token response.
    public static AuthenticationProperties CreateProperties(string userName)
    {
        IDictionary<string, string> data = new Dictionary<string, string>
        {
            { "userName", userName }
        };
        return new AuthenticationProperties(data);
    }
}
```

Solution
Summary:
Navigate to https://console.developers.google.com/

If you're still unsure, see this link: https://developers.google.com/accounts/docs/OAuth2Login#getcredentials. It describes how to obtain the clientID and clientSecret.
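The check the question asks for, as an added example that is not code from the question, the answer or the Katana project template: a provider that authenticates the client on every /Token request (Katana calls ValidateClientAuthentication for the password and refresh_token grants alike, so a leaked refresh_token alone no longer yields an access_token) and refuses a refresh token presented by a different client. The in-memory client table, the SHA-256 storage of secrets and the "as:client_id" property key are assumptions, and the example assumes GrantResourceOwnerCredentials stores context.ClientId under that key in the ticket's properties (the CreateRefreshToken above copies the dictionary, so the key survives into the refresh token).

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public class ConfidentialClientOAuthProvider : OAuthAuthorizationServerProvider
{
    // Hypothetical registered clients: client_id -> SHA-256 of its secret (a database in practice).
    private static readonly Dictionary<string, byte[]> Clients =
        new Dictionary<string, byte[]> { { "mobile-app", Sha256("constructed-secret-value") } };
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string clientId, clientSecret; byte[] storedHash;
        // Credentials may arrive in the HTTP Basic header or as client_id/client_secret form fields.
        if (!context.TryGetBasicCredentials(out clientId, out clientSecret))
            context.TryGetFormCredentials(out clientId, out clientSecret);
        if (string.IsNullOrEmpty(clientId) || clientSecret == null
            || !Clients.TryGetValue(clientId, out storedHash) || !FixedTimeEquals(Sha256(clientSecret), storedHash))
        {
            // One error for an unknown id and a wrong secret alike, so client ids cannot be enumerated.
            context.SetError("invalid_client", "Client authentication failed.");
            return Task.FromResult<object>(null);
        }
        context.Validated(clientId);
        return Task.FromResult<object>(null);
    }

    // Bind the refresh token to its client: GrantResourceOwnerCredentials is assumed to have stored "as:client_id".
    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        string issuedTo;
        if (!context.Ticket.Properties.Dictionary.TryGetValue("as:client_id", out issuedTo) || issuedTo != context.ClientId)
        {
            context.SetError("invalid_grant", "Refresh token was not issued to this client.");
            return Task.FromResult<object>(null);
        }
        context.Validated();
        return Task.FromResult<object>(null);
    }
    private static byte[] Sha256(string s) { using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s)); }
    // Compare every byte so the response time does not reveal how long a matching prefix was.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Wire it in as OAuthOptions.Provider (or merge the two overrides into ApplicationOAuthProvider), and once the secret travels in every token request, AllowInsecureHttp = true in Startup.OAuth.cs has to go so it is only ever sent over TLS.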